Abstract. We show that (1) the Minimal False QCNF search-problem (MF-search) and the Minimal Unsatisfiable LTL formula search problem (MU-search) are FPSPACE complete because of the very expressive power of QBF/LTL, (2) we extend the PSPACE-hardness of the MF decision problem to the MU decision problem. As a consequence, we deduce a positive answer to the open question of PSPACE hardness of the inherent Vacuity Checking problem. We even show that the Inherent Non Vacuous formula search problem is also FPSPACE-complete.

1 Introduction



Recently, the notion of Minimal Unsatisfiable Linear Temporal Logic formula (MU for LTL) has been introduced in [32]. This notion is, for instance, fundamental to reduce the search space in LTL sat-solvers [11], [TH], or to understand the cause of unsatisfiability and enable debugging [32], [31], [H]. Intuitively, an element $g \in MU(f)$ from a LTL unsatisfiable formula $f$ is a limit weakening of $f$ such that $g$ remains unsatisfiable. We consider the following two fundamental problems:

MU-decision problem
  input: a LTL formula $f$
  output: yes while $f$ is minimal unsatisfiable, no otherwise.

MU-search problem
  input: a LTL formula $f$
  output: $g \in MU(f)$ while $f$ is unsatisfiable, no otherwise.

Footnote (on "limit weakening"): some substitutions by TRUE (resp. FALSE) of some subformula occurrences of positive (resp. negative) polarity.

The aim of this work is to study computational complexity of the above MU-decision/search problems. The authors of [13] have shown that the $MU_{CNF}$ decision problem is $D^P$-complete for propositional logic with formula in Conjunctive Normal Form (CNF) but it is in P while the deficiency is fixed [20]. An important effort has been devoted to approaches allowing to approximate/compute $MU_{CNF}$ of propositional logic (see [37], [23], [26], [27], [S^). The Minimal False QBF decision problem is PSPACE complete [55] but it is in $D^P$ for fixed deficiency ^5T[. However, only a few investigations dealt with MF 0S]. The author in [35] defines MU for LTL, and recalls that given a formula and a fixed occurrence, deciding if it is not necessary (w.r.t. unsatisfiability) is PSPACE complete (MU-step-dec). However, the MU decision/search problems (MU-dec/search) remain open. A few works propose computation of MU for LTL [H], [35], [21], [TH]. A recent work also proposed to compute minimal revision of an unsatisfiable LTL specification [17] in order to achieve the satisfiability. Some simple results for unrealizability of LTL formula (2-EXPTIME complete) are also given in [32]. In [5], the authors investigated the causes in counterexample of LTL specification and have shown that the decision problem is NP complete (by considering as inputs a LTL counter-example, a timestamped variable and a LTL formula). This work is built on the theory of causes introduced in [24]. Also based on the theory of [24], the authors in [8] analyze some variables as a cause of verifying a model checking test. In [B], the authors investigated basic algorithms for Minimal Unsatisfiable boolean circuit. Computing the minimal unsatisfiable formulas in SMT is proposed in [TU]. Since a Minimal Unsatisfiable LTL formula is a particular case of inherent non vacuity [15], [32], we consider also complexity results for inherent vacuity. Given a LTL formula $f$ and a fixed subformula occurrence $Occ(g)$, deciding if $Occ(g)$ is a witness of inherent vacuity of $f$ is PSPACE-complete but deciding whether there is an inherent vacuity in $f$ is still an open problem [15]. While $f \in LTL$ is a conjunction, the decision problem of a smallest equivalent subset of the $f$'s conjuncts (irredundancy) and of a given size is PSPACE complete [9]. Some works were devoted to the vacuity detection (see [1], [2S], [3], [IH], [31], [E], [S]). To summarize, although substantial complexity results have been provided in the propositional case, current corresponding complexity results for LTL appear to be less studied than in the propositional case. Mainly, complexity results for minimality problems in the LTL case assume additional subformula or length parameter in the definition of the problem. In this paper, we show that (1) the Minimal False QBF search-problem (MF-search) and the Minimal Unsatisfiable LTL formula search problem (MU-search) are FPSPACE complete because of the very expressive power of QBF/LTL and (2) we extend the PSPACE-hardness of the MF decision problem to the MU decision problem. As a consequence, we provide a positive answer to the open question of PSPACE hardness of the inherent Vacuity Checking problem. We even show that the Inherent Non Vacuous formula search problem is also FPSPACE-complete.

For uniformity purpose we introduce QLTL ($QBF \subset QLTL$ and $LTL \subset QLTL$) in Section 2. We also discuss the notions of weakening for QLTL formulas and minimal unsatisfiable LTL formulas. In Section 3, we start by analyzing the complexity of Minimal FALSE QCNF formulas, then, we enhance the translation of QCNF sat to LTL Model Checking to show complexity results for the LTL MU-search problem. Finally, we propose an original proof of PSPACE completeness of the MU-dec problem. We reuse these results in order to provide complexity results for Inherent Vacuity Checking. We conclude in Section 4.

2 Preliminaries 

Complexity 

We recall the basic definition of computational complexity [30], [35]. Let $\Sigma$ be an alphabet, a total deterministic computable function $f$ from $\Sigma^*$ to $\Sigma^*$, associated with a total (at left) binary relation $R(x, y)$ over $\Sigma^* \times \Sigma^*$ with input $x \in \Sigma^*$ is an always accepting deterministic Turing Machine with three tapes: a 'two-ways' 'read-only' input tape (where $x$ lies), a 'two-ways' 'read/write' computing tape and a 'one-way' 'write-only' output tape with output $f(x)$ such that $R(x, f(x))$. A FPSPACE search problem with relation $R$ is such that there exists a polynomial $P$ such that $R(x, y) \Rightarrow |y| \le P(|x|)$ and there exists a function $f$ such that for any $x$, the total use of space units of the machine (of the output and of the working tapes) is also bounded by $P(|x|)$. A decision problem associated to a language $L \subseteq \Sigma^*$ over a fixed alphabet $\Sigma$ is PSPACE iff there exists a FPSPACE function $f$ such that given any input $x \in \Sigma^*$, $f(x) = $ 'yes' iff $x \in L$ (thus for instance $f(x) = $ 'no' while $x \notin L$). A logspace function is a function $f$ using $O(\log(|x|))$ space at the working tape but no constraint at the output tape. There exists a logspace reduction of a decision problem $L_1 \subseteq \Sigma^*$ to another $L_2 \subseteq \Sigma^*$ iff there exists a particular logspace function $f$ such that $x \in L_1$ iff $f(x) \in L_2$. There exists a logspace reduction from a relation $R_1$ to a relation $R_2$ iff there exist three functions $f$, $g_2$, $h$ where $f$ and $h$ are logspace functions, and $g_2$ is a $R_2$ function such that for any $x$, $R_1(x, h(g_2(f(x)), x))$ holds, i.e., given a $x$ one can compute a $y$ with $R_1(x, y)$ by (1) computing $f(x)$, (2) computing $z = g_2(f(x))$ with $R_2(f(x), z)$ and (3) computing $y = h(g_2(f(x)), x)$. A PSPACE decision problem is PSPACE-complete iff any PSPACE-problem is logspace reducible to it. A FPSPACE search problem is FPSPACE complete iff any FPSPACE problem is logspace reducible to it. We quickly recall that a NP decision problem is a decision problem which is solvable by a Non-deterministic Turing Machine, in polytime for the positive answer. $D^P$ is the class of languages of the form $L_1 \cap L_2$ with $L_1$ a NP problem and $L_2$ a Co-NP problem (intuitively one positive call and one negative call to a NP-complete problem). $\Sigma_2^P$ is the set of decision problems with a non deterministic polytime Turing Machine, but with a NP-complete oracle. We recall that $NP \subseteq D^P \subseteq \Sigma_2^P \subseteq PSPACE$, without knowing whether the inclusions are strict. The reduction from one of the non deterministic problems is usually through a deterministic polytime computable function rather than a logspace function.

QLTL [2]

Let $P$ be a non empty finite set of propositional variables, $p \in P$ and $A$ and $B$ are two QLTL formulas. A temporal logic formula is inductively built by means of the following rules:

$TRUE \mid FALSE \mid p \mid A \wedge B \mid A \vee B \mid \neg A \mid X(A) \mid A\,U\,B \mid A\,W\,B \mid \exists p\,A \mid \forall p\,A$.

Furthermore, $G(A) = A\,W\,FALSE$ and $F(A) = TRUE\,U\,A$. In this paper, while some definitions hold for QLTL formulas, the focus is on two fragments of QLTL: Quantified Boolean Formula (QBF [35]) and Linear Temporal Logic (LTL [16]). QBF is the fragment of QLTL without modal operators ($U, W, X, F, G$) and LTL is the fragment without quantifiers ($\exists, \forall$). Both the satisfiability and Model Checking decision problems of LTL and QBF are PSPACE complete on the contrary to the satisfiability problem of QLTL which is non-elementary and the model checking is however PSPACE complete [29]. The set of QBF without quantifier is denoted PROP and is NP-complete [12]. A QLTL formula is in Prenex form iff it is of the form $Qx\phi$ with $Qx = Q_1 x_1 Q_2 x_2 \dots Q_n x_n$ with $Q_i \in \{\forall; \exists\}$, and $x = (x_1, \dots, x_n)$ standing for a set of different variables, and $\phi$ without quantifier. In the following, we will assume that any QLTL is in Prenex Form. Except for the case of Vacuity checking (see Section 3), we will also restrict any formula to possibly contain the $\neg$ symbol solely applied to propositional variable(s) [18]. We call such a formula Negative Normal Form (NNF).

A propositional variable $p$ in a QLTL $f$ is free iff there exists an occurrence of $p$ in $f$ which is not in the scope of a quantifier. A closed QLTL is a QLTL without free variables. A literal $l$ is either a propositional variable $p \in P$, or its negation $\neg p$. $lit(P)$ denotes the set of literals of $P$. We define $\sim$ (1) on literals as $\sim p = \neg p$ and $\sim \neg p = p$; (2) on quantifiers as $\sim \forall = \exists$ and $\sim \exists = \forall$ and $\sim (Q_1 Q) x_1 x = \sim (Q_1) x_1 \sim (Q) x$. A clause is a disjunction of literal(s). A QLTL-clause is a disjunction of literal(s) and/or modal operator(s) applied to literal(s) (e.g., $(a\,U\,\neg b) \vee \neg c \vee F(d)$). We finally say that $\Phi \in QBF$ is a QCNF if it is of the special prenex form $Qx\phi$ with $\phi$ a conjunction of different clause(s). In this case, if $\Phi$ gets no quantifier then it lies in $CNF \subset PROP$. Note that the QCNF-sat decision problem is also PSPACE complete by adapting the proof of [35] to the QCNF case. By analyzing the proof of the PSPACE-hardness of QBF in [35], one can also show that the QBF-sat-search problem is FPSPACE-complete. This is the problem of searching a satisfiable valuation of the free variables of the QBF formula while it is satisfiable. To prove the FPSPACE hardness, let us consider the following points. Since the output tape is PSPACE bounded in the definition of a FPSPACE problem, the configurations can also contain output tape variables. This is then sufficient to remove the external existential quantifiers of the configurations in the proof of [35] to prove QBF-sat search is FPSPACE-hard. The inclusion in FPSPACE is trivial.

Footnote (on the output tape of a logspace function): However, one can show that the output is polynomial in $|x|$ yet.

Footnote (on non-elementary): Elementary is the class of decision problems for which the execution time is bounded by a finite composition of exponential in the input size $|x|$ (e.g., C(2 ) unit times).

Footnote (on the definition of $\sim$): This definition is necessary because $\neg\neg p$ is syntactically different from $p$.
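A linear time structure is an element $\mathcal{M}$ in $(2^P)^{\mathbb{N}}$. $\forall i \in \mathbb{N}, \forall \mathcal{M} \in (2^P)^{\mathbb{N}}$:

- $(\mathcal{M}, i) \models p$ with $p \in P$ iff $p \in \mathcal{M}(i)$.

- $(\mathcal{M}, i) \models X(A)$ iff $(\mathcal{M}, i+1) \models A$.

- $(\mathcal{M}, i) \models A\,U\,B$ iff $\exists j \ge i, (\mathcal{M}, j) \models B$ and $\forall k, i \le k < j, (\mathcal{M}, k) \models A$.

- $(\mathcal{M}, i) \models A\,W\,B$ iff $\forall j \ge i, (\mathcal{M}, j) \models A$ or ($\exists j \ge i, (\mathcal{M}, j) \models B$ and $\forall k, i \le k < j, (\mathcal{M}, k) \models A$).

- The semantics of any propositional combination is defined as usual.

- $(\mathcal{M}, i) \models \exists p\,(A)$ iff there exists a linear structure $\mathcal{M}'$ such that $(\mathcal{M}', i) \models A$ and where $\mathcal{M}'$ differs from $\mathcal{M}$ solely at the instances of $p$.

- $(\mathcal{M}, i) \models \forall p\,(A)$ iff for any linear structure $\mathcal{M}'$ such that $\mathcal{M}'$ differs from $\mathcal{M}$ solely at the instances of $p$ then $(\mathcal{M}', i) \models A$.

A partial instance is a linear structure where solely some variables are instantiated (at any state).
We write down $\mathcal{M}_t$ for the suffix of $\mathcal{M}$ starting at time $t$.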

A Kripke Structure $\mathcal{K}$ is a labeled automaton $\mathcal{K} = (S, S_0, T, l)$ with $S$ the set of states, $S_0 \subseteq S$ the set of initial states, $T \subseteq S \times S$ a total binary relation standing for the transitions and $l$ a total function from $S$ to $2^P$. A $\mathcal{K}$-linear structure is any linear structure $\mathcal{M}$ such that there exists a function $m$ in $S^{\mathbb{N}}$ such that $m(0) \in S_0$ and $\forall i \ge 0$, $\mathcal{M}(i) = l(m(i))$ and $(m(i), m(i+1)) \in T$. We note $\mathcal{K} \models f$ iff any $\mathcal{K}$-linear structure $\mathcal{M}$ is such that $(\mathcal{M}, 0) \models f$. In this paper we restrict ourselves to finite Kripke Structure. It may happen that a state $s$ occurs in a formula, without confusion, it stands for the conjunction of its literals $\bigwedge_{p \in l(s)} p \wedge \bigwedge_{p \in P \setminus l(s)} \neg p$.

Let $f$ be a QLTL formula, a syntactic tree $T(f)$ is defined by the following rules:

- $T(p \in P)$ is a single node labeled by $p$.

- $T(\circ g)$ is a tree with a root node which is labeled by $\circ$ ($\circ \in \{\neg; X; \exists; \forall\}$) and a child subtree $T(g)$.

- $T(g_1 \circ g_2)$ is a tree with a root node which is labeled by $\circ$ ($\circ \in \{U; W; \vee; \wedge\}$) with a left child subtree $T(g_1)$ and a right child subtree $T(g_2)$.

A subformula $h$ of $f$ is a 'subword' of the 'word' $f$ such that $h$ is also a formula, and the set of subformulas is denoted $sf(f)$. We will also write $Cl(sf(f))$ the set of clauses which are in $sf(f)$.

For instance $sf((a \wedge b)\,U\,\neg a) = \{a; b; a \wedge b; \neg a; (a \wedge b)\,U\,\neg a\}$. The set of subformula occurrences $Occ(sf(f))$ corresponds to the set of nodes of $T(f)$. For each node $N$, a natural subformula $Sf(f)(N)$ can be associated with the subformula of the $N$-root subtree of $T(f)$. For instance on Figure 1, $Occ(sf((a \wedge b)\,U\,\neg a))$ gets two occurrences of the subformula $a$. Furthermore $a \wedge b$ is associated with the labeled node $\wedge$. We also define $Cl(Occ(sf(f)))$ as before. Let $g$ be another QLTL formula, $f[h \leftarrow g]$ is the result of the substitutions in $f$ of all the occurrences of $h$ by $g$. For one specific occurrence of $h$ denoted $Occ(h) \in Occ(sf(f))$, $f[Occ(h) \leftarrow g]$ is the result of the substitution in $f$ of the only occurrence $Occ(h)$ of $h$ by $g$.

We divide $Occ(sf(f))$ into two disjoint sets: $Occ(sf(f)) = sf^+(f) \cup sf^-(f)$ where $sf^+(f)$ is the set of the subformula occurrences with positive polarity. We fix $lit^{\epsilon}(f) = sf^{\epsilon}(f) \cap lit(P)$ with $\epsilon \in \{+; -\}$. Finally if $Occ(g) \in Occ(sf(f))$ then $Occ(g') \in Occ(sf(f))$ is a superformula occurrence of $Occ(g)$ iff $Occ(g)$ is a descendant node of $Occ(g')$ in $T(f)$. For instance on Figure 1, $\neg a$ is a superformula occurrence of the 'second' occurrence $a$ in $\neg a$. If $\mathcal{K}$ is a Kripke structure and $s$ a state of $\mathcal{K}$, then for any $\mathcal{K}$-linear structure $(\mathcal{M}, m)$ different from $S^* s^{\omega}$, $\mathcal{M}[s \leftarrow erase]$ is the modified $(\mathcal{M}, m)$ where any corresponding occurrence of $s$ has been erased.

We call weak promise $wp$ any occurrence of subformula of a QLTL formula $f$ of the form $(A\,U\,B)$ or $(A\,W\,B)$ (we recall $F(B) = (TRUE)\,U\,B$), with $B \neq FALSE$ which is called a promise operand. We will say that a timestamped state $(i, m(i))$ of a $\mathcal{K}$-linear structure $\mathcal{M}$ triggers a weak promise $wp$ iff $f = Z \wedge G(C \Rightarrow X^k[((wp\,W\,H) \circ D) \wedge E])$ with $\circ \in \{U; \vee\}$, $k \in \mathbb{N}$ and such that $(\mathcal{M}, i) \models C \wedge X^k(\neg D \wedge \neg H)$. We will say that a timestamped state $(i, m(i))$ of a $\mathcal{K}$-linear structure $\mathcal{M}$ propagates or postpones a weak promise $wp$ iff (1) there exists $i'$ with $0 \le i' < i$ such that $(i', m(i'))$ triggers $wp$ and (2) either $(\mathcal{M}, j) \models A \wedge \neg B$ where $k < i - i'$, for any $i' + k < j < i$, with $B$ the promise operand of $wp$, or $k > i - i'$. We finally say that a weak promise $wp$ is fulfilled at $(i, m(i))$ iff there is a $i'$ with $i' < i$ where $wp$ is triggered and propagated until $i$ where $(\mathcal{M}, i) \models B$ with $B$ the promise operand of $wp$.

Weakening QLTL formulas and Minimal Unsatisfiable QLTL formulas 

For (Quantified) propositional logic, a basic weakening is essentially defined as the deletion of a clause in QCNF [22]. It is extended in [7] as the substitution of a particular 'maximal' $\vee$-subformula (a disjunction) occurrences by TRUE while the formula is in $QBF \cap NNF$. However, for Linear Temporal Logic and related Model Checking, a basic weakening is usually defined for any subformula occurrence [32]. In what follows, we compare these various definitions and describe which occurrences are necessary and sufficient to consider in order to check the minimality of an unsatisfiable formula.

Definition 1. (Basic clausal weakening for QCNF)

Let $f = Qx(C_1 \wedge \dots \wedge C_m)$ an element of QCNF with the clauses $C_j$. Then a basic clausal weakening of $f$ is $f[C_{j_0} \leftarrow TRUE]$ for some $j_0 \in [1; m]$.

Footnote (on positive polarity): A subformula occurrence with positive polarity is a subformula occurrence which is in the scope of an even number of negation(s). The negative case corresponds to an odd number of negation(s).

For $f_1$, $f_2$ and $f$ in QCNF the relation of basic clausal weakening $R_{Cl(sf)}$ is such that $R_{Cl(sf)}(f_1, f_2)$ iff $f_1$ is a basic weakening of $f_2$. If $R^*_{Cl(sf)}$ is the reflexive, transitive closure of $R_{Cl(sf)}$, then the set of weakened subformulas of $f$ is $W_{Cl(sf)}(f) = \{g \in QCNF \mid R^*_{Cl(sf)}(g, f)\}$.

Definition 2. (Basic Occurrence Weakening in QLTL [32]) Let $f \in QLTL$, a basic occurrence weakening is a formula $g$ such that $g$ is the result of a substitution in $f$ of either (1) a subformula occurrence in $sf^+(f)$ by TRUE, or (2) a subformula occurrence in $sf^-(f)$ by FALSE.

For instance if $f = G(\neg c \vee (a \vee ((\neg b)\,U\,c)))$ then $g = G(\neg c \vee TRUE)$ is a basic occurrence weakening of $f$. Except for case of vacuity checking (see Section 3), we will restrict ourselves to occurrences in $sf^+$. $R_{sf^+}$ and $W_{sf^+}$ are defined similarly as $R_{Cl(sf)}$ and $W_{Cl(sf)}$. However, while the occurrence of $f_1 = x \vee (c \wedge ((\neg b)\,W\,e))$ is substituted by TRUE in $f = \exists x(\neg r \wedge (r \vee (F(x \vee (c \wedge ((\neg b)\,W\,e))))))$ then the resulting formula $f' = \exists x(\neg r \wedge (r \vee (F(TRUE))))$ is trivially equivalent to $f'' = \exists x(\neg r \wedge (TRUE))$. Consider $Eq_0 \subseteq (sf^+(f))^2$, with $Eq_0(Occ(f_1), Occ(f_2))$ iff $Occ(f_2)$ is a superformula occurrence of $Occ(f_1)$ and $f_2$ gets one of the following forms: $f_1 \vee Z$, $A\,U/W\,(f_1)$, $(f_1)\,W\,FALSE$, or $X(f_1)$. Then, if $Eq$ is the symmetric, reflexive, transitive closure of $Eq_0$ and if $Eq(Occ(f_1), Occ(f_2))$, then $f[Occ(f_1) \leftarrow TRUE] \equiv f[Occ(f_2) \leftarrow TRUE]$. A class representative of a class $Cla$ from $Eq$ can be the (right) maximal element of $Cla$ with respect to $Eq_0$. For the last example $Cla(Occ(f_1)) = Cla(Occ(f_2))$ with $Cla(Occ(f_2)) = (r \vee (F(x \vee (c \wedge ((\neg b)\,W\,e)))))$ and $Cla(Occ(f_2))$ is maximal. It is then sufficient to consider solely a 'maximal' representative per class for weakening analysis as for the QBF case [7]. But if the maximal class representative or a minimal class representative is a conjunction or of the form $A\,U/W\,B$ with $A \neq TRUE$ and $B \neq FALSE$, then it is not correct to say its substitution by TRUE is a basic weakening, since any of its conjunct/$A$ substitution by TRUE weakens $f$ 'less' than the conjunction or $A\,U/W\,B$. For instance, if $f = \exists b[(c \wedge \neg d) \vee b \vee d]$, then solely the occurrences $\{c; \neg d\}$ are the 'weakest' maximal non-conjunctive occurrences. Similarly, if $f = \exists x(\neg r \wedge (r \vee (F(x \vee (c \wedge ((\neg b)\,W\,e))))))$ then $\{\neg r; c; \neg b\}$ are the weakest maximal non-conjunctive occurrences. We then define a weakest basic weakening of maximal non-conjunctive subformula occurrences (Weakest-Max weakening, for short) as follows.

Definition 3. (Weakest-Max weakening for QLTL)

A weakest basic weakening of maximal non-conjunctive subformula occurrences is a basic weakening of a 'maximal' non-conjunctive subformula occurrence $Occ$, where $Occ$ is the maximal representative element w.r.t. $Eq_0$ of $Cla(Occ)$, and $Cla(Occ)$ does not contain any maximal/minimal element which is a conjunction or of the form $A\,U/W\,B$ with $A \neq TRUE$ and $B \neq FALSE$.

$WeakestMax(sf^+)(f)$, $R_{WeakestMax(sf^+)}$ and related weakened formulas $W_{WeakestMax(sf^+)}(f)$ are defined as previously.

Definition 4. (Minimal Unsatisfiable QLTL Formula) Let $O$ be the mapping from any formula $f \in QLTL$ to a set $O(f) \subseteq sf^+(f)$. A QLTL formula $g$ is Minimal Unsatisfiable w.r.t. $O$ ($g \in MU_O$) iff (1) $g$ is unsatisfiable, (2) $g$ gets no unsatisfiable proper weakened subformula w.r.t. $R_O$ (i.e. $W_O(g) \cap UNSAT = \{g\}$). If $f$ is an unsatisfiable QLTL formula, then $MU_O(f) = MU_O \cap W_O(f)$.

For instance, if $f = a \wedge \neg a \wedge F(o) \wedge G(\neg c) \wedge G(o \Rightarrow (F(p) \wedge F(g))) \wedge (\neg g)\,W\,p \wedge F(i) \wedge (\neg i)\,W\,p \wedge G(p \Rightarrow G(\neg i))$ then $MU_{sf^+}(f) = \{a \wedge \neg a \wedge TRUE;\ TRUE \wedge F(i) \wedge (\neg i)\,W\,p \wedge G(p \Rightarrow G(\neg i))\}$. Also note that the set $MU_O(f)$ is identical (by simplifying any TRUE $\vee$ ..., A^TRUE, $A\,U/W\,TRUE$ or $G(TRUE)$ by TRUE) whatever the $O$ be from our two precedent definitions of weakening ($O \in \{sf^+; WeakestMax(sf^+)\}$). Thus, in the following, we will solely write MU instead of $MU_O$. If $f$ is closed, then the unsatisfiability becomes Falsity and we call minimal FALSE (MF) instead of MU. In the remaining part of this paper, the MU-dec/search problem is restricted to the elements of LTL, and the MF-dec/search problem is restricted to the elements of QCNF.

Footnote (on the right maximal element): For subformula occurrence there is only one right maximal element.

3 Complexity results 

The MU-dec problem is obviously in PSPACE^^^'^^'^ = PSPACE. To show the hardness one adapts the proof of hardness for MF-dec [22] to LTL. As a corollary this shows the PSPACE hardness of the Inherent Vacuity decision problem. To show the FPSPACE-hardness of MU-search, we start by showing the FPSPACE-hardness of MF-search in QCNF, then we enhance a QCNF sat / LTL Model Checking reduction from [M]. We conclude that the inherent non vacuous search problem (INV-search) is FPSPACE-complete.

Minimal False Formula in QCNF
We need two lemmas to prepare the proof. W.l.o.g., we fix $O = Cl(sf)$. The first one has been proved in [35] but it is recalled to understand its extension later.

Lemma 1. J2^ Assume $\Phi = \forall y Q x \phi$ is in MF. Then either only $y \in lit^+(\Phi)$ occurs or only $\neg y \in lit^+(\Phi)$ occurs in $\phi$.

(proof) $\Phi = \forall y Q x \phi$ is FALSE iff $\Phi[y \leftarrow TRUE] \wedge \Phi[y \leftarrow FALSE]$ is FALSE iff $\Phi[y \leftarrow TRUE]$ is FALSE or $\Phi[y \leftarrow FALSE]$ is FALSE. For instance if $\Phi[y \leftarrow TRUE]$ is FALSE, then if a clause $C$ containing $y \in lit^+(\Phi)$ is in $\phi$ this clause can be substituted by TRUE and $(\Phi[y \leftarrow TRUE])[C[y \leftarrow TRUE] \leftarrow TRUE] = (\Phi[C \leftarrow TRUE])[y \leftarrow TRUE]$ remains FALSE. Then $\Phi[C \leftarrow TRUE]$ is FALSE. However, it contradicts the assumption $\Phi$ is in MF. We conclude that there is no occurrence of $y \in lit^+(\Phi)$ while $\Phi[y \leftarrow TRUE]$ is FALSE. The other case is similar.

Lemma 2. Let $\Phi = Qx\phi$ be a QBF in Prenex Form. $\Phi$ is LOGSPACE reducible to an equivalent QCNF denoted $QCNF(\Phi)$.

(Proof) Let $Set = \{x_\phi\}$ be the starting set with $x_\phi$ a fresh variable, and $UCS = \emptyset$ the starting set of clauses. $\Phi$ is LOGSPACE reducible to an equivalent QCNF by applying the following rules until reaching a fixpoint:

- If $x_\psi = x_{\psi_1 \wedge \psi_2} \in Set$ then $\forall j \in \{1; 2\}$ $UCS := \{x_\psi \Rightarrow x_{\psi_j}\} \cup UCS$ and $\forall j$ $Set := Set \cup \{x_{\psi_j}\}$.

- If $x_\psi = x_{\psi_1 \vee \psi_2} \in Set$ then $UCS := \{x_\psi \Rightarrow (x_{\psi_1} \vee x_{\psi_2})\} \cup UCS$ and $\forall j \in \{1; 2\}$ $Set := Set \cup \{x_{\psi_j}\}$.

- If $x_\psi \in Set$ is such that $\psi \in lit(P) \cup \{TRUE; FALSE\}$ then $UCS := \{x_\psi \Rightarrow \psi\} \cup UCS$.

Let $x'$ be a vector standing for the set $Set$ and $\phi' = x_\phi \wedge \bigwedge_{C \in UCS} C$, then $QCNF(\Phi) = Qx \exists x' \phi' \equiv \Phi$.



Theorem 1. (MF-Search) Given $\Phi$ a closed QCNF, providing a MF of $\Phi$ if $\Phi$ is FALSE, and answer 'no' if $\Phi$ is TRUE is a FPSPACE complete problem.

Footnote (on the restriction of MF-dec/search to QCNF): In this case $WeakestMax(sf^+)$ and $Cl(sf)$ are identical.

(proof) The inclusion in FPSPACE is rather obvious. Let $\Phi_0 = Qy\phi_0$ be a QBF in prenex form with free variables $x = (x_1, \dots, x_n)$. Then $\Phi_0$ is satisfiable iff $\forall x \sim\Phi_0 = \forall x (\sim Q) y \sim\phi_0$ is FALSE. According to Lemma 1, if $\Psi = \forall x (\sim Q) y \exists z \psi$ is a MF of $QCNF(\forall x \sim\Phi_0) = \forall x (\sim Q) y \exists z \phi'$, then there exists a corresponding partial instance $I_{(\Psi, x)}$ of the $x$ deduced from $\Psi$ such that $\Psi[x \leftarrow I_{(\Psi, x)}]$ is FALSE. Moreover $\phi' \models \psi$ and then we deduce $(\sim Q) y \sim\phi_0[x \leftarrow I_{(\Psi, x)}] \equiv (\sim Q) y \exists z \phi'[x \leftarrow I_{(\Psi, x)}] \models (\sim Q) y \exists z \psi[x \leftarrow I_{(\Psi, x)}] \equiv FALSE$. This means that $TRUE \equiv \neg[(\sim Q) y \exists z \psi[x \leftarrow I_{(\Psi, x)}]] \models Qy\phi_0[x \leftarrow I_{(\Psi, x)}]$, i.e., $\sim I_{(\Psi, x)} \models \Phi_0$. Thus, finding a satisfiable model of a QBF is LOGSPACE reducible to the search problem of a MF of a closed QCNF. This proves the FPSPACE hardness.
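The membership side of Theorem 1, as an added Python example that is not code from the paper: a recursive evaluator for closed QCNF whose stack depth is the prefix length, and a deletion loop that applies basic clausal weakenings (Definition 1) for as long as the formula stays FALSE. The integer clause encoding, the function names and the two extra clauses `E1`, `E2` added to the Fig. 2 formula are assumptions made for the illustration.

```python
"""MF-search for a closed QCNF by clause deletion (added illustration)."""

FORALL, EXISTS = "A", "E"


def evaluate(prefix, clauses, assignment=None):
    """Truth value of the closed QCNF  prefix . AND(clauses).

    prefix  : list of (quantifier, variable) pairs, outermost first
    clauses : list of frozensets of non-zero ints (v is x_v, -v is NOT x_v)
    The recursion depth is len(prefix), so the space used is polynomial
    in the input size; the running time is exponential.
    """
    assignment = assignment or {}
    if not prefix:
        return all(any(assignment[abs(l)] == (l > 0) for l in c) for c in clauses)
    (quantifier, var), rest = prefix[0], prefix[1:]
    branches = (evaluate(rest, clauses, {**assignment, var: b}) for b in (False, True))
    return all(branches) if quantifier == FORALL else any(branches)


def mf_search(prefix, clauses):
    """Return one minimal false clause subset, or None ('no') if the QCNF is TRUE.

    Replacing a clause by TRUE is the same as dropping it from the conjunction.
    Dropping clauses can only turn FALSE into TRUE, never the reverse, so a
    clause found necessary once stays necessary while the set keeps shrinking.
    """
    if evaluate(prefix, clauses):
        return None
    kept = list(clauses)
    i = 0
    while i < len(kept):
        trial = kept[:i] + kept[i + 1:]
        if evaluate(prefix, trial):
            i += 1            # weakening makes it TRUE: clause i is necessary
        else:
            kept = trial      # still FALSE: keep the weakened formula
    return kept


def is_minimal_false(prefix, clauses):
    """MF-dec: FALSE, and every basic clausal weakening is TRUE."""
    clauses = list(clauses)
    return not evaluate(prefix, clauses) and all(
        evaluate(prefix, clauses[:i] + clauses[i + 1:]) for i in range(len(clauses))
    )


def signs_of(var, clauses):
    """Set of polarities (True = positive) with which var occurs (cf. Lemma 1)."""
    return {l > 0 for c in clauses for l in c if abs(l) == var}


# Fig. 2 formula: forall x1 forall x2 exists x3 exists x4
#   (x1 v x3) ^ (x1 v x4 v -x3) ^ (-x2 v -x4)
PREFIX = [(FORALL, 1), (FORALL, 2), (EXISTS, 3), (EXISTS, 4)]
C1, C2, C3 = frozenset({1, 3}), frozenset({1, 4, -3}), frozenset({-2, -4})
# Constructed extra clauses, not from the paper, so that there is something to delete.
E1, E2 = frozenset({3, 4}), frozenset({2, -4})

if __name__ == "__main__":
    for order in ([E1, C1, C2, C3, E2], [E2, E1, C1, C2, C3]):
        mf = mf_search(PREFIX, order)
        print(sorted(map(sorted, mf)), is_minimal_false(PREFIX, mf), signs_of(1, mf))
    print(mf_search(PREFIX, [C1, C2]))
```

The two clause orders return different minimal false formulas of the same input, which is why the search problem asks for some element of the MF set rather than a unique answer.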

Deciding Minimal Unsatisfiable LTL formula 

W.l.o.g. we solely consider $O = WeakestMax(sf^+)$.

Lemma 3. (Definitional SNF US}/ ) Any LTL formula $f$ can be LOGSPACE reduced to an equi-satisfiable formula in (F,X)-TL |7]/ of the form $f = x_f \wedge \bigwedge_{2 \le i \le m} f_i$ where any $f_i$ is one of the following "globally" scoped LTL-clauses-based forms: $G(x \vee F(x'))$, $G(y \vee X(y'))$ or $G(w \vee w' \vee (\delta \wedge w''))$. The $x_f, x, x', y, y', w, w', w''$ are literals and $\delta \in \{TRUE; FALSE\}$. Furthermore, no pair of literals in the scope of a $G$ operator have the same propositional variables. Finally, $\bigwedge_{2 \le i \le m} f_i$ is satisfiable with a model $\mathcal{M}'$ which sets $x_f$ to FALSE at $\mathcal{M}'(0)$.

(Proof)

Let the starting set $Set = \{x_f\}$ with $x_f$ a fresh variable, and $UCS = \emptyset$ the starting set of unwound LTL-clauses. Let us apply the following rules until reaching a fixpoint:

- If $x_\psi = x_{\psi_1 \wedge \psi_2} \in Set$ then $\forall j \in \{1; 2\}$ $UCS := \{x_\psi \Rightarrow x_{\psi_j}\} \cup UCS$ and $\forall j \in \{1; 2\}$ $Set := Set \cup \{x_{\psi_j}\}$

- If $x_\psi = x_{\psi_1 \vee \psi_2} \in Set$ then $UCS := \{x_\psi \Rightarrow (x_{\psi_1} \vee x_{\psi_2})\} \cup UCS$ and $\forall j \in \{1; 2\}$ $Set := Set \cup \{x_{\psi_j}\}$

- If $x_\psi = x_{X(\psi_1)} \in Set$ then $UCS := \{x_\psi \Rightarrow X(x_{\psi_1})\} \cup UCS$ and $Set := Set \cup \{x_{\psi_1}\}$

- If $x_\psi = x_{\psi_1 U/W \psi_2} \in Set$ then $UCS := \{x_\psi \Rightarrow (x_{\psi_2} \vee (x_{\psi_1 \wedge X(\psi)}))\} \cup UCS$ and $Set := Set \cup \{x_{\psi_2}; x_{\psi_1 \wedge X(\psi)}\}$. In the case of $U$, we add $UCS := \{x_\psi \Rightarrow F(x_{\psi_2})\} \cup UCS$

- If $x_\psi \in Set$ is such that $\psi \in lit(P) \cup \{TRUE; FALSE\}$ then $UCS := \{x_\psi \Rightarrow \psi\} \cup UCS$

with $x_{\psi_j}$ fresh variables at each step. It turns out that $f' = x_f \wedge \bigwedge_{f'' \in UCS} G(f'')$ is equi-satisfiable to $f$. Furthermore, $\bigwedge_{f'' \in UCS} G(f'')$ is satisfiable with a model $\mathcal{M}'$ at FALSE at any time for any propositional variable. This proves the lemma.

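Footnote (on $\delta$ in Lemma 3): Once $\delta$ is instantiated, the formula is simplified to the equivalent clause.

Theorem 2. (MU-dec)

Deciding if an unsatisfiable LTL formula is a minimal unsatisfiable formula is PSPACE-complete.

(proof) For any element in $WeakestMax(sf^+(f))$, substitute by TRUE and check unsatisfiability. $f$ is a MU iff any substitution leads to a satisfiable formula. There is a linear number of subformulas, and any checking is in PSPACE. Thanks to Lemma 3 any LTL formula $f$ can be LOGSPACE reduced to an equi-satisfiable formula of the form $f' = x_f \wedge \bigwedge_{2 \le i \le m} f'_i$ where any $f'_i$ is one of the following forms: $G(x \vee F(x'))$, $G(y \vee X(y'))$ or $G(w \vee w' \vee (\delta \wedge w''))$. Furthermore, let $\mathcal{M}'$ be defined as in Lemma 3. Let $\alpha_1, \dots, \alpha_m$ be some subformulas of $f'$ such that $\alpha_1 = x_f$ and $f'_i = G(\alpha_i)$ for $2 \le i \le m$. Let $x_1, \dots, x_m$ be fresh boolean variables, and $\pi_i = x_1 \vee .. \vee x_{i-1} \vee x_{i+1} \vee .. \vee x_m$. Let "$\approx$" be defined as follows: $\approx l = \sim l$ for $l$ a literal, $\approx X(l) = X(\sim l)$ and $\approx F(l) = G(\sim l)$. Let $\omega(f')$ be the conjunction of the following subformulas:

- $(X(x_1) \vee \alpha_1 \vee \pi_1) \wedge \bigwedge_{2 \le i \le m} G(\alpha_i \vee \pi_i)$,
- $(\neg x_1 \vee \neg x_f \vee \pi_1) \wedge \bigwedge_{2 \le i \le m} \bigwedge_{op \in \alpha_i} G(\approx op \vee \pi_i \vee \neg x_i)$ where $op$ is an operand of the LTL-clause $\alpha_i$,
- $\bigwedge_{1 \neq j} (\neg x_1 \vee \neg x_j) \wedge \bigwedge_{2 \le i < j \le m} G(\neg x_i \vee \neg x_j)$,
- $G(X(\neg x_1)) \vee \pi_1$,
- $x_1 \vee \dots \vee x_m$.

Assume $\lambda(f') = \omega(f') \setminus \{x_1 \vee \dots \vee x_m\}$. We will show that $\omega(f')$ is a MU iff $f'$ is satisfiable.

A- If $\omega(f')$ is MU then $f'$ is satisfiable.

If $\omega(f')$ is MU then $\lambda(f')$ is satisfiable. If $\mathcal{M}$ is a linear model of $\lambda(f')$, there are two cases: (1) Either any $x_i$ is False at any time point $j$ in $\mathcal{M}(j)$ and $(\mathcal{M}, 0) \models \lambda(f')$ iff $(\mathcal{M}, 0) \models f'$. Thus, $f'$ is satisfiable. (2) Either there exists a time point $j$ and some $x_i$ such that $x_i$ is True in $\mathcal{M}(j)$. In this case we have:

- If $\pi_1$ is FALSE at $\mathcal{M}(0)$, then thanks to $G(X(\neg x_1)) \vee \pi_1$, either $x_1$ is TRUE at $\mathcal{M}(0)$ and it will never hold later (but in this case $(\mathcal{M}, 0) \not\models \lambda(f')$ because $(\mathcal{M}, 0) \not\models (X(x_1) \vee \alpha_1 \vee \pi_1) \wedge (\neg x_1 \vee \neg x_f \vee \pi_1) \wedge (G(X(\neg x_1)) \vee \pi_1) \wedge \bigwedge_{1 \neq j'} (\neg x_1 \vee \neg x_{j'})$), or $x_1$ will never hold on $\mathcal{M}$, then $i > 1$ and $j \ge 0$, but in this case $(\mathcal{M}, 0) \not\models \bigwedge_{2 \le i' < j' \le m} G(\neg x_{i'} \vee \neg x_{j'}) \wedge G(\alpha_i \vee \pi_i) \wedge \bigwedge_{op \in \alpha_i} G(\approx op \vee \pi_i \vee \neg x_i) \wedge G(X(\neg x_1)) \vee \pi_1$ since $(\mathcal{M}, j) \not\models \bigwedge_{2 \le i' < j' \le m} (\neg x_{i'} \vee \neg x_{j'}) \wedge (\alpha_i \vee \pi_i) \wedge \bigwedge_{op \in \alpha_i} (\approx op \vee \pi_i \vee \neg x_i)$. Thus $(\mathcal{M}, 0) \not\models \lambda(f')$.

- If $\pi_1$ is TRUE at $\mathcal{M}(0)$ then $i > 1$ and for instance $j = 0$. We deduce $(\mathcal{M}, 0) \not\models \bigwedge_{1 \neq j'} (\neg x_1 \vee \neg x_{j'}) \wedge \bigwedge_{2 \le i' < j' \le m} G(\neg x_{i'} \vee \neg x_{j'}) \wedge G(\alpha_i \vee \pi_i) \wedge \bigwedge_{op \in \alpha_i} G(\approx op \vee \pi_i \vee \neg x_i)$. Thus $(\mathcal{M}, 0) \not\models \lambda(f')$.

Thus only the case (1) is possible, i.e., $f'$ is satisfiable.

B- If $f'$ is satisfiable then $\omega(f')$ is MU.

Assume $f'$ is satisfiable. We have to show that $\omega(f')$ is (a) unsatisfiable and (b) minimal. (1) Assume $\omega(f')$ is satisfiable by a model $\mathcal{M}$, then only one of $x_i$ is TRUE at $\mathcal{M}(0)$ but this is the unsatisfiable case of A-(2), which is a contradiction. Thus $\omega(f')$ is not satisfiable. (2) Let $g$ be a subformula in the conjunction of $f'$. We will show that $\gamma(f') = \omega(f') \setminus \{g\}$ is satisfiable for any $g$:

- case $g = X(x_1) \vee \alpha_1 \vee \pi_1$. Let $\mathcal{M}$ be a model with $x_1$ TRUE only at $\mathcal{M}(0)$ and FALSE later on and the other $x_i$s are always False on $\mathcal{M}$. Then $(\mathcal{M}, 0) \models \gamma(f')$ iff $(\mathcal{M}, 0) \models (\neg x_1 \vee \neg x_f \vee \pi_1) \wedge \bigwedge_{2 \le i \le m} G(\alpha_i \vee \pi_i)$, and fixing the other variables as in $\mathcal{M}'$ is sufficient to show $(\mathcal{M}, 0) \models \gamma(f')$.

- case $g = G(\alpha_i \vee \pi_i)$. Let $\mathcal{M}$ be a model with $x_i$ always TRUE on $\mathcal{M}$ and the other $x_j$s are always False on $\mathcal{M}$, then $(\mathcal{M}, 0) \models \gamma(f')$ iff $(\mathcal{M}, 0) \models \bigwedge_{op \in \alpha_i} G(\approx op \vee \pi_i \vee \neg x_i)$. The $op$s do not have the same propositional variables, thus setting in $\mathcal{M}$ the literals of $Lit(op)$ always to FALSE for any $op$s of $\alpha_i$ leads to $(\mathcal{M}, 0) \models \gamma(f')$.

- case $g = x_1 \vee \dots \vee x_m$ then if any $x_i$ is always FALSE, and since $f'$ is satisfiable and according to 1.(a), $(\mathcal{M}, 0) \models \gamma(f')$.

- case $g = (\neg x_1 \vee \neg x_f \vee \pi_1)$. Let $\mathcal{M}$ be a model with $x_1$ TRUE only at $\mathcal{M}(0)$ and FALSE later on and the other $x_i$s are always False. Setting the other variables as in a model of $f'$ is sufficient to show $(\mathcal{M}, 0) \models \gamma(f')$.

- case $g = G(\approx op \vee \pi_i \vee \neg x_i)$. Let $\mathcal{M}$ be a model with $x_i$ always TRUE and the other $x_j$s are always False on $\mathcal{M}$. Setting literals in $Lit(op)$ always to FALSE while $\approx op$ is in $\gamma(f')$ and the remaining $Lit(op)$ of $\alpha_i$ always at TRUE is sufficient to show $(\mathcal{M}, 0) \models \gamma(f')$.

- case $g = G(X(\neg x_1)) \vee \pi_1$. Let $\mathcal{M}$ be a model with $x_1$ always TRUE and the other $x_i$s are always False on $\mathcal{M}$. Setting $x_f$ at FALSE at $\mathcal{M}(0)$ is sufficient to show $(\mathcal{M}, 0) \models \gamma(f')$.

- case $g = \neg x_1 \vee \neg x_j$. Let $\mathcal{M}$ be a model with $x_1$ and $x_j$ always TRUE and the other $x_i$s are always False on $\mathcal{M}$. One gets $(\mathcal{M}, 0) \models \gamma(f')$.

- case $g = G(\neg x_i \vee \neg x_j)$. Let $\mathcal{M}$ be a model with $x_i$ and $x_j$ always TRUE and the other $x_i$s are always False on $\mathcal{M}$. One gets $(\mathcal{M}, 0) \models \gamma(f')$.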

Since the satisfiability decision problem of LTL is PSPACE complete [1 , and it is LOGSPACE reducible to the MU decision problem, MU-decision is PSPACE hard. Consider now the problem of deciding whether, given a LTL formula $g$, there is a strengthening of $g$ which is still equivalent to $g$ (Inherent vacuity with single occurrence [H]). Let $g = \neg\omega(f)$. Since a PSPACE-complete problem also gets its Co-problem be PSPACE-complete, one gets:

Corollary 1. The inherent vacuity decision problem (with single occurrence) is PSPACE-complete.

Fig. 2. $\mathcal{K}$ and $\mathcal{K}'$ for $\Phi = \forall x_1 \forall x_2 \exists x_3 \exists x_4 (x_1 \vee x_3) \wedge (x_1 \vee x_4 \vee \neg x_3) \wedge (\neg x_2 \vee \neg x_4)$



Canonical reduction of QCNF into LTL Model Checking [H] 



Let <? be a closed QCNF. Thus, ^ = Qx0 with (?!< G CA^F is of the form (j> = Ai<j<mCj, where 
any Cj is a clause and \x\ = n. We begin to recall the existence of a Kripke structure /C and a LTL 
formula !f such that: /C N tf iff * is FALSE [14]. 

We start with the example $\Phi = \forall x_1 \forall x_2 \exists x_3 \exists x_4\,(x_1 \vee x_3) \wedge (x_1 \vee x_4 \vee \neg x_3) \wedge (\neg x_2 \vee \neg x_4)$. The Kripke
structure $\mathcal{K}$ is shown in Figure 2. To save space, $\mathcal{K}$ is indicated by the arrows with a simple
arrowhead (do not consider the double arrowheads). Intuitively, a path in the 'above' part of $\mathcal{K}$ instantiates
the variables of $\phi$ (by choosing to display $x_i^0$ or $x_i^1$), and a path in the 'right' part displays
a chosen literal per clause ($l_{(j,k)}$). The consistency constraints (1) between instances of variables and
the displayed literal per clause and (2) expressing the universal quantifiers of $\phi$ are expressed in the LTL
formula $\Psi$. In the general case, $\mathcal{K}$ and $\Psi$ are defined as follows:

Let $P$ be the set of the following fresh propositional variables for the LTL formula:

- $a_0$, $b_0$
- $\forall i$, $1 \le i \le n$: $x_i^0$, $x_i^1$, $a_i$, $b_i$
- $\forall j$, $1 \le j \le m$: $d_j$, $e_j$, and $\forall k$: $l_{(j,k)}$, with $C_j = \bigvee_{1 \le k \le k_j} lit(l_{(j,k)})$

Footnote (strengthening): some substitutions by FALSE (resp. TRUE) of some subformula occurrences of $g$ with positive polarity
(resp. negative polarity).

Moreover, any $l_{(j,k)}$ or $x_i^\epsilon$ is a propositional variable standing for a literal, written $lit(l_{(j,k)})$
as a literal of $C_j$, with $lit(x_i^0) = \neg x_i$ and $lit(x_i^1) = x_i$, where $x_i \in x$.
Let $\mathcal{K} = (S, \{b_0\}, T, l)$ be a Kripke structure where any state is defined by its label. For $s \in S$, if
$l(s) = \{p_1, ..., p_q\}$, then $(p_1, ..., p_q)$ denotes $s$. Furthermore, $b_0$ is the sole starting state. $\mathcal{K}$ is the
smallest Kripke structure allowing the following transitions:

- $(b_0, a_0)$
- $(a_i, b_{i+1})$ for any $i$, $0 \le i \le n-1$
- $(b_i, x_i^0)$, $(b_i, x_i^1)$, $(x_i^0, a_i)$, $(x_i^1, a_i)$ for any $i$, $1 \le i \le n$
- $(a_n, d_1)$
- $(d_j, l_{(j,k)})$, $(l_{(j,k)}, e_j)$ for any $j, k$ such that $1 \le j \le m$, $1 \le k \le k_j$
- $(e_j, d_{j+1})$ for any $j$ | $1 \le j \le m-1$
- $(e_m, b_i)$ for any $i$ | $0 \le i \le n$

When no confusion arises, we write $p_1, ..., p_q$ to denote the canonical conjunction of its literals:
$\bigwedge_{1 \le t \le q} p_t \wedge \bigwedge_{p \in P \setminus \bigcup_{1 \le t \le q}\{p_t\}} \neg p$. Let $\Psi_{univ} = \bigwedge_{i | Q_i = \forall} G(a_{i-1} \Rightarrow [((\neg b_{i-1})\,U\,x_i^0) \wedge X^2(x_i^1)])$ stand for
the constraints enforcing a potential $\mathcal{K}$ linear model to first visit the state $x_i^1$ for any $Q_i = \forall$ and later
visit $x_i^0$. Furthermore, as long as both states have not been visited, a $\mathcal{K}$ linear model cannot go
back to the previous $x_j^\epsilon$ states for $j < i$. Let $\Psi_{cons} = \bigwedge_{(i,j,k,\epsilon) | lit(x_i^\epsilon) = \sim lit(l_{(j,k)})} G(x_i^\epsilon \Rightarrow ((\neg l_{(j,k)})\,W\,b_i))$,
which stands for the constraints enforcing the consistency of the variables $x_i$ of $\Phi$ instantiated at
FALSE ($x_i^0$) or at TRUE ($x_i^1$) with their opposite literal occurring in the clauses. Finally, let
$\Psi = \neg(\Psi_{univ} \wedge \Psi_{cons})$. Then, the authors of [H] have shown that $\mathcal{K} \models \Psi$ iff $\Phi$ is FALSE.
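The construction above, carried out for the running example $\Phi$ as an added Python illustration (not code from the paper): it builds the states and transitions of $\mathcal{K}$ from the transition list as read here, checks that every state is reachable from $b_0$ and has a successor, and lists the conjuncts of $\Psi_{univ}$ and the index tuples $(i,j,k,\epsilon)$ of $\Psi_{cons}$. The function names, the 'A'/'E' prefix string and the signed-integer clause encoding are assumptions of this example.

```python
# Added example (not the paper's code). The prefix is a string of 'A' (forall) /
# 'E' (exists); clauses are lists of signed ints. Both encodings are assumed.
from collections import deque

def build_kripke(prefix, clauses):
    """Return (states, transitions) of K for the closed QCNF prefix.clauses."""
    n, m = len(prefix), len(clauses)
    T = {("b0", "a0"), (f"a{n}", "d1")}
    for i in range(n):                       # (a_i, b_{i+1}), 0 <= i <= n-1
        T.add((f"a{i}", f"b{i + 1}"))
    for i in range(1, n + 1):                # display x_i^0 or x_i^1, then a_i
        for eps in (0, 1):
            T.add((f"b{i}", f"x{i}^{eps}"))
            T.add((f"x{i}^{eps}", f"a{i}"))
    for j, clause in enumerate(clauses, 1):  # display one literal per clause
        for k in range(1, len(clause) + 1):
            T.add((f"d{j}", f"l({j},{k})"))
            T.add((f"l({j},{k})", f"e{j}"))
        if j < m:
            T.add((f"e{j}", f"d{j + 1}"))
    for i in range(n + 1):                   # (e_m, b_i), 0 <= i <= n
        T.add((f"e{m}", f"b{i}"))
    S = {s for edge in T for s in edge}
    return S, T

def psi_univ(prefix):
    """One conjunct of Psi_univ per universally quantified variable x_i."""
    return [f"G(a{i - 1} -> ((!b{i - 1} U x{i}^0) & X X x{i}^1))"
            for i, q in enumerate(prefix, 1) if q == "A"]

def cons_index(clauses):
    """Tuples (i, j, k, eps) with lit(x_i^eps) the opposite of lit(l_(j,k))."""
    out = []
    for j, clause in enumerate(clauses, 1):
        for k, lit in enumerate(clause, 1):
            # lit(x_i^0) = not x_i, so a positive occurrence pairs with eps = 0
            out.append((abs(lit), j, k, 0 if lit > 0 else 1))
    return out

def reachable(T, start="b0"):
    """States reachable from the start state by breadth-first search."""
    succ = {}
    for s, t in T:
        succ.setdefault(s, set()).add(t)
    seen, queue = {start}, deque([start])
    while queue:
        for t in succ.get(queue.popleft(), ()):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen

def is_total(S, T):
    """Every state needs a successor so that all paths are infinite."""
    return S == {s for s, _ in T}

# Running example: forall x1 forall x2 exists x3 exists x4
# (x1 v x3) & (x1 v x4 v !x3) & (!x2 v !x4)
PREFIX = "AAEE"
CLAUSES = [[1, 3], [1, 4, -3], [-2, -4]]

if __name__ == "__main__":
    S, T = build_kripke(PREFIX, CLAUSES)
    print(len(S), "states,", len(T), "transitions")
    print(psi_univ(PREFIX), cons_index(CLAUSES))
```
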

Searching Minimal Unsatisfiable LTL Formulas 

Theorem 3. (MU-Search) Given an LTL formula f, providing a MU of f if f is unsatisfiable, and answering
'no' if f is satisfiable, is an FPSPACE complete problem.

(proof) 

Assume the same notations as in the canonical reduction. At this step, encoding $\mathcal{K}$ into an LTL formula
$\Phi_{\mathcal{K}} = b_0 \wedge \bigwedge_{s \in S} G(s \Rightarrow X(\bigvee_{(s,s') \in T} s'))$ and studying the extraction of a MU of $\Phi_{\mathcal{K}} \wedge \neg\Psi$ is tempting.
However, for instance, it cannot ensure that a MU of $\Phi_{\mathcal{K}} \wedge \neg\Psi$ gets a corresponding MF, because
a MU may be without some 'universal' subformula occurrences of the form $sf_i = G(a_{i-1} \Rightarrow [((\neg b_{i-1})\,U\,x_i^0) \wedge X^2(x_i^1)])$,
which may not lead to a QBF (e.g., if $\Phi = \forall a \forall b\,(a \vee b) \wedge (\neg a \vee b)$, then
$g = [\Phi_{\mathcal{K}} \wedge \neg\Psi][sf_i \leftarrow TRUE]$ is still unsatisfiable and a MU of $g$ does not correspond to any MF of
$\Phi$). We then have to create a new Kripke structure $\mathcal{K}'$ by adding variables and several branches to $\mathcal{K}$
(supported by double arrowheads) to enforce most of the subformula occurrences to be necessary,
i.e., to remain in any MU of $\Phi_{\mathcal{K}'} \wedge \neg\Psi$. To do so we also need to weaken $\neg\Psi$ by adding disjuncts
which are promises to fulfil ($F(\beta)$). Unfortunately, we also have to tightly strengthen the resulting
weakened new formula (into $\neg\Psi'$) by adding conjuncts, in order that the new branches do
not imply the existence of a $\mathcal{K}'$ linear model of $\neg\Psi'$ while $\Phi$ is FALSE. Finally, it is still possible to
find such $\mathcal{K}'$ and $\Psi'$ such that $\mathcal{K}' \models \Psi'$ iff $\Phi$ is FALSE (see point A). Then, the proof reduces the
latter Model Checking problem to a variant of an LTL unsatisfiability problem (see $Temp(\Phi)$ at
point B). Finally, the analysis of the $MU(Temp(\Phi))$ (see section C) regarding the $MF(\Phi)$ enables
to show the MF search problem can be reduced to the MU search problem by focusing on mutations
of the $l_{(j,k)}$ at the state $l_{(j,k)}$.



A- $\mathcal{K}' \models \Psi'$ iff $\Phi$ is FALSE



Let $P'$ be $P$ augmented with the following variables: $\beta$; $\forall r$ $1 \le r \le 3$, $\delta_r$, $\gamma_r$; $\forall i$ $1 \le i \le n$, $\mu_i$,
$\nu_i$, $\omega_i$, $\rho_i$; $\forall j$ $1 \le j \le m$, $\tau_{(j,k)}$ and $\zeta_{(j,k)}$ with $C_j = \bigvee_{1 \le k \le k_j} lit(l_{(j,k)})$. For convenience, we define
$p_1, .., p_q$ as a state/conjunction with the corresponding literals over $P'$. For technical reasons, from
now on, we similarly extend a state $p_1, .., p_q$ of $\mathcal{K}$ to $\mathcal{K}'$ by adding the new (negated) variables to
the corresponding conjunction. Let the set $f\text{-}promises = \bigcup_{0 \le i \le n}\{a_i, b_i, x_i^0\} \cup \{\beta\}$. The resulting
Kripke structure $\mathcal{K}'$ adds the following transitions to $\mathcal{K}$:

- (a7|^^o,7o))J'or any i|(5,; = V - iil(j,k),Cu.k),T(^j,k)), {l{j',k'),C{]'.k'),T(^j',k'))) 

- ii^^o),(^i?n)) ^°^ ^"^ J-,J'-,k,k' such that 1 < j,j' < m 

UOi, 7iM/-P™™ses \ iPI, 02, 72 jj thermore /zi(/(,, fc)) is a positive literal. 

- (cj, (/3, (53, 73)) for any j with 1 < j < m ,-^ ' -—. — 

- ((/3X^3),(6.-';X-0) for any * such that " ((&.-i^,-.), (-°, M. ^or any z|Q. = V 
i\Qi=^ ._^_ - ((a;°,Aii,i'i ) I (/--P^^wsesM/?} 1^2,72)) for 

- ((/3,53,73),('o-,fe),C(j,fe),To-,fc))) for any j,fc any j|Q^^_=V ^^ 

such that 1 < J < m and there is no /,fc' - ((Z(j,fc), C(^, ^(j,fc)), /.prorms^^/3}, ^2,72) 

suchthat lit{l(j^k)h^l-it{l{j' ,k')), for any j, fc such that 1 < j < m and such 

- iW7s^3),il(j,k),C{m^n3,k))) for any j, fc there is no j', fc' such that /ii(/(,,fc)) =- 
such that lit{l(^j,k)) is positive, 1 < i < m\^(j',k')) 

m and 3/,fc' such that /zi(Z(,,,)) =^ - ((^^^,)X^^,r^^^,^)J.prorms7?{'{P],6,n2) 
'«t('(j',fc'2)^_^ __^_. for any j, k such that 1 < j < m ,such 3j', fc' 

- {{J. pro- \ {/3}, (52,72), (/-p™- \ {/5},(52,72)) such that lit{l(^j^k)) =~ Utihj^k'))- Further- 

more lij^k) is a negative literal. 

In Figure [5J /C' is supported by all the arrows (with simple or double arrowhead) . Let ^' = 

-(!^,.m.' A icons') with W^mv' = /\^Q^=v[S{^l ^ [(-&»-! V T{l3))Ux°) A (^^(x,!) V -F(/3))])] A 

g((&iAA'(xO)) ^ x2((^x^vJ'(/3))Wa,_i) , and if^on.' = /\{^,j,k,e)\ut(x')=r^Ht(l^^ ,^)Qixt ^ ((-^O'.fc) V 

^(/3))>V&.)) 

A(jj,fc,£)|Ht(a:«)=Ht(io,,)),v/,fc'ijt(;^,_,,)/~'»t(io,/=))^(^j ^ (("'Co.fc) "^ ^'^U.k) V J'(/3))>V6j)) . 

In the following, we show that a $\mathcal{K}'$-linear model of $\neg\Psi'$ is necessarily a $\mathcal{K}$-linear model of $\neg\Psi'$.
This implies $\mathcal{K}' \models \Psi'$ iff $\Phi$ is FALSE:

" ('o",/c), Co",fe);'''(i,fe)) cannot occur in a /C'- linear model of -1^' because for such a model Vi £ 

[l;n], there exists e, such that xj is the last occurrence of a x^ before the first visit of 

ikj, k)X{j,k),T(j,k))- Furthermore, 

• if there are no j',k' such that lit{l(^jk)) —^ lit{l{ji,k')) then there is a G{x\ =^ {{g V 

J-"(/3))>V&i)) with g £ {"'Co.fc) '^^T(j.k)', ~''(j,fc)} occurring in -i!?"' such that the weak promise 



^^ From a /C-linear model of -•'P we can derive a /C-linear model of -1!^ A Q{{bi A A:'(xi)) => X^((-ia;9 V 
J-"(/9))VVai_i), which is also a AC-linear model of -^^' 



(g V 7^(/3))W6i is postponed from x| to (^(j./t), C(j,fc):'''(j.fc))j but at this latter state J-{p) 
must hold, which is impossible. 

• if there exist j',k' such that lit{l(j_k)) —^ ^it{\j>,k')) then there exists Gixl ^ {{g V 
J-{j3))'Whi)) occurring in -i^' with g G {~^l(j' .k')i~'^j,k)\ such that the weak promise 

{g W J-{l3))'Whi is postponed from xl until the corresponding (^(j',fc')j C(j'.fc')j''"(j',fc')) or 
{hj,k)iQj,k)T'''{j.k))i but at this convenient latter state T{j3) must hold, which is impossible. 
— {bi^i, Pi^uji) cannot occur in a /C' linear model of -i^' . Assume Ad such a model. Let t be the 
last time where Oj-i occurs in M.. Then, either: 

• !^ occurs in TWt, but thanks to g((6,A<Y(a;0)) ^ X^{{-^xlyT{l3))Wa^-i), (-xf'vJ"(/3))>Va,_i 

is postponed from x" to xf^fii^Vi. But at this latter state -F(/3) must hold, which is impos- 
sible^ 

• or x° does not occur in Mt^ but thanks to t/(a~^ => (-'&i-i V T{f5))Ux^)), {^bi-i V 

F{f5))Ux^ is postponed from ai_i to bi^i,pi,uJi. But at this latter state J"(/3) must hold, 
which is impossible. 
^ ((^i, 7i) cannot occur in a /C' linear model of -i!?"' because for such a model, ^(o^Ti => [X^(Xj^) V 
7^(/3)]) implies J^(/3) is propagated from dj^i to ((5i,7i), which is impossible. 

Below, we define $\Psi_{\mathcal{K}'}$, which stands for $\mathcal{K}'$. At the next step of the proof, it will make it possible to reduce
the MF search problem to a MU search problem for LTL. To do so, we denote $Temp(\Phi) = \Psi_{\mathcal{K}'} \wedge \neg\Psi'$,
with $\Psi_{\mathcal{K}'}$ defined in the following. It is then straightforward that $Temp(\Phi)$ is unsatisfiable iff $\Phi$ is
FALSE.

B- $Temp(\Phi) = \Psi_{\mathcal{K}'} \wedge \neg\Psi'$ is unsatisfiable iff $\Phi$ is FALSE

Let $\Psi_{\mathcal{K}'}$ be as $\Phi_{\mathcal{K}'}$ except that the occurrences $G(s \Rightarrow X(...))$ where $s = l_{(j,k)}$ are erased. Furthermore,
one adds the conjuncts $G(d_j \Rightarrow X^2 e_j)$ for any $j$ | $1 \le j \le m$.

We have that $Temp(\Phi) = \Psi_{\mathcal{K}'} \wedge \neg\Psi'$ is unsatisfiable iff $\Phi$ is FALSE.

In the following, we analyze that an element of MU{Temp{<F)) corresponds to some maximal 
mutations of propositional variables l(j^k) at the corresponding states l{j.k) in ^' but which the 
resulting mutated Kripke structure still checks Ff^i . This enables to show that there exists a corre- 
sponding element in MF {<!>). 

C- Analysis of a $MU(Temp(\Phi))$

Let $MU_0(Temp(\Phi)) \in MU(Temp(\Phi))$.

1. the universal part Funiv' still occurs in MUo{Temp{<P)): 

— Let i be an integer such that Qi=\/ and assume -i6i_iVJ^(/?) has been substituted by TRUE 
while weakening from Temp{'P) to MU{Temp{^)) at the universal part. Let A4 he a K.' lin- 
ear structure starting with the state 60, which never visits x^ and reaches (6i-i, pi,LUi). From 
(/?, 63, 73), no constraint enables to propagate J^(/3), and any other triggered and postponed 

promises are fulfilled at (/ — promises \ {/3}, 62, 72)- From (/ — promises \ {/3}, 62, 72) any 
constraint from MUo{Temp{<P)) is obviously checked. Then A^ is a model oi MUf){Temp{(l>)), 
which is a contradiction. 



— Let i be an integer such that Qi =y and assume that Q{ai-i => [X'^{x\) M F{(i)\) has been 
substituted by TRUE. Let M he a. JC' linear structure starting with the state 60 j directly 
reaching OiZ^i but by crossing any x\, with \ < i' < i — 1 and from c^Ti follows the solely 

branch where (^1,71) occurs. A^ is a linear model for MUo{Temp{<l>)), because at ((5i,7i) 
any postponed weak promise is solely the remaining subformula {^bi'^i V T{[i))Ux^, or 

{g V J^(/3))W6i' and they are fulfilled at the first visit of (/ — promises \ {/3}, (52, 72)- From 

(/ ~ promises \ {/?}, 82, 72), any constraint from MUo(Temp{<P)) is obviously checked. Thus 
MUo{Temp{<P)) is satisfiable, but this is a contradiction since it is unsatisfiable. Thus, 
MUo{Temp{<l')) does not get any weakening of G{(H^i ^ [X'^{xl)VT{(3)]) for any i\Qi = V. 

— Let i be an integer such that Qi — V and assume that G{{bi-i A X{x'^)) => X^[(^a;° V 
J^(/3))VVai_i]) has been substituted by TRUE. Let Mhe alC' hnear structure starting with 

the state bo, reaching a;°, and going straightforward to the solely branch where {x^,fii, Vi) 

occurs. A^ is a linear model for MUo{Temp{<l>)), because from (/3, (53,73), no constraint 
enables to propagate J^{/3), and any other remaining precedent propagated promises are 

fulfilled at (/ — promises \ {/3}, 62, 72)- From (/ — promises \ {/3}, 62, 72) any constraint is 
obviously checked. Then 7W is a model of MUo{Temp{<l>)), which is a contradiction, 
the consistency part 'I'cons' still occurs in MUo{Temp{<}>)): 

— Assume that Q{x\ ^ {{g V J"(/?))W6i)) with g G {^C,(j,k) V ~^T(j,k)]^hj,k)} has been sub- 
stituted by TRUE while weakening from Temp(p) to MU{Temp{<P) at the consistency 
part. Let M he a. K.' linear structure starting with the state 60, going through xj and di- 
rectly reaching ei and from ei, it follows a branch where (^(j,fc), C(j,fc)' ^(j-*:)) occurs. From 
(/?, (53,73), no constraint enables to propagate J- {13). This is because no weak promis(4^ of 
the form {-^g' V J-"(/3))W6i must hold anymore. As usual, any other remaining propagated 

promises are fulfilled at (/ —promises \ {/?}, (52, 72). Thus MUo{Temp{(l>)) is satisfiable, 

but this is a contradiction since it is unsatisfiable. _ 

MUo{Temp{<P)) getsnoweakenmgm'Fic'\[Ui<j<mWeakestmaXsf+{G{dj ^ X(\/i<k<kjl(j,k))))]- 
Otherwise if there is any weakening in the computation of MUq{T emp{<P)) from 
^K' \ ^i<j<mW eakestmax sf+{Q{dj => X{Vi<k<kjl(j.k)))): then MUo{Temp{(l>)) would be sat- 
isfiable because of the following points. 

— any weakening in a subformula occurrence Q{s =^ A''°(V(s,s')eT'S') of Temp{<P) which is not 
of the form G{dj => X{\/i<:k<kjl(j.k))) leads to at least a weakening of a literal I G lit~^ at s' 
which may lead at a state which is not in JC' . To show this property, consider the s at the 
weakened above subformula occurrence and let pref a prefix linear structure in K.' such that 
its last state is either (1) the s G /C' if A: = 1 either (2) any lj,k while s = dj and fc = 2. Let 
So and si some states over P' , we define |so^si| = |{p|p G (/(so)\^(si))U(/(si)\Z(so))}|. It 
is clear that for any sq and si in /C', |so — si| > 1. Let s" such that s" = s'[l ^^ /]. It is clear 
that |s' — s"\ = 1. It turns out that s" ^ /C'. Let M the linear structure M = pref.s".P' . 
From the state s", MUo{Temp{(l>)) n -^^k.' is trivially checked since s" ^ /C' and P' ^ JC' . 
Furthermore, at the first visit erf the state P' the weak promises postponed and propagated 
from s" are fulfilled, and from P' any propagated temporal constraint from MUo(Temp{<l>)) 
is obviously checked because P' ^ /C'. Thus, M N MUo{Temp{<P)). 



i has been fixed here 



— For similar argument any weakening in s = 60 ensures that a linear model oi MUo{Temp{<l>)) 
is (s')" with s' (^IC'. 

Let H C [1, m] and Sf = Uj^nifj} the subformulaa^H of the form fj — Q{dj ^ X(\/i<k<kjl{j,k))) 
for any j|l < j < m which have been weakened in Temp{(l>) by TRUE at a positive occurrence 

of the variable l(j^k) in ^{j,k) for computing MUo{Temp{(l>)). Then 'P[Ch <— TRUEjh^H is in 

MF{$). 

The reasons are summarized below. 

— ^(3 is not weakened at any l(j^k) in ^-ny /j? Let sq = ('(j,fe): /?)■ Otherwise, a linear structure 
of K, U {sq} which checks the rules of -'^univ' and sometimes which visit the 'weakened' 
state So where j3 S l{so) is a model of MUo{Teinp{<P)) since sq ^ A^' does not propagate 
any new weak promise. This leads to a contradiction. 

— no -ix° is weakened at any l(j.k) in any fj7 Let Sq = {l(^jk),x^)- Otherwise, let M a 

linear structure of /C' U {sq} starting with the state bo, which never visit x^, reaching 

the 'weakened' state sq where a;° G l{so), crossing e, and going directly to {bi-i, pi,uJi). 

First, -i6i \/ F{P))Ux^ is fulfilled at sq- Second, from (/3, ^3,73) , no constraint enable 
to propagate J- {(3), and any others remaining promises of / — promise are fulfilled at 

(/ ~ promises\ {/3}, (^2, 72)- From (/ ~ promises\ {/3},(52,72) any constraint is obviously 
checked. Furthermore, sq ^ /C', thus it does not propagate any new weak promise. Thus, 
A^ is a model of MUo{Temp{(l>)). This leads to a contradiction. 

— no -iai_i is weakened at any l(j^k) in any /j? Let sq — {l(^j^k),o,i-i)- Otherwise, Let M a 

linear structure of /C' U {sq} starting with the state Bq, reaching a:?, displays the 'weakened' 
state So where a^-i G ^(so), crosses Cj and goes straightforward to the solely branch where 

[x^,IJLi,Vi) occurs. First, the propagated (-ix° \J F{(i))Wai^i is fulfilled at so. Second, from 

(/3,(53,73) , no constraint enable to propagate J-{I3), and any others remaining promises of 

/ — promise are fulfilled at (/ — promises \ {/3}, (^2, 72)- From (/ — promises \ {/3}, ^2, 72) 
any constraint is obviously checked. Furthermore, so ^ /C', thus it does not propagate any 
new weak promise. Thus, 7W is a model of MUo{Temp{'P)). This leads to a contradiction. 

— no -ibi is weakened at any l(j^k) in any fj7 Let so = {l(j,k),bi). Otherwise, Let A4 a lin- 
ear structure of M^' U {so} starting with the state bo, which never visit a;^ and that reach 

{bi^i,Pi,uji). First, the propagated (g V J^(/3))W6i is fulfilled at so. Second, from {(3,63,^3) 
, no constraint enable to propagate J- {(3), and any others remaining propagated promises of 

/ — promise are fulfilled at (/ — promises \ {/3}, (52, 72)- From (/ — promises \ {/3}, ^2, 72) 
any constraint is obviously checked. Furthermore, so ^ IC' , thus it does not propagate any 
new weak promise. Thus, 7W is a model of MUo{Temp{'P)). This leads to a contradiction. 

— Let M a. K.' hnear structure and jo ^ H. But, if X 1= {MUo{Temp{(P)))[Occ{l(^j„^k)) ^ 

T RU E], then let Mh JO = -^['o./c') ^ erase][ej ^ erase][dj <- erase]{(^j^k')\jeHu{jo}Mj,k')eCj}- 
According that neither -iai_i,-i&i and -•x'^ are weakened at any state, A4h,jo propagates any 
of the triggered weak promises of types ..Wbi, ...Ux^ or ...Wai_i in MUo{Tem,p{<l>)))[Occ{l(j^,k)) ^ 
TRUE] exactly as in -■•Z'', thua^i the states of Mh.jo actually lies (if one renames the vari- 



^* One formula per j is sufficient 
^^ As for point A of the (proof) 



ables) in 1C^[c,^true],^„^^,^^ C ^'^[c,^TRUE],^„^^,^y Furthermore, remark that since 
-i/3 is not weakened too, then any fulfiUing state from M. is still in Mh.jq- By renam- 
ing the remaining index j' in A4h,jo ^^"^ projecting over the propositional variables of 
Temp{<P[Cj ^ TRUE]j^Hu{j„})), we have Mh.j„ ^ {Temp{'^[C, ^ TRUE]^^hu{jo})) be_ 
cause the weak promises of Temp{<P[Cj <— TRUE]j^ijij^jgy) are still eventually fulfillecl^^l 

at the remaining states &i|jo, Oiijo or 2;°,. {J-{P) cannot be triggered because it would 
not be fulfilled in /C[ ). Thus, {^[Cj ^ TRUE]j^hu{jo}) ^^ satisfiable for any jo, since 
MUo{Temp{^)) is a MU. 
- Assume {<l'[Ch <- TRUE]j^h) is satisfiable, then Temp{(p[Cj ^ TKUE]j^h) is satisfiable 
with a model M.h ranging over ICp^c ^true] -^h- By renaming the index j let Ai = A4h 
{bo),MH (bi),---, A^_f/(dj),7VJ//(0), A^//(e5)... which is Mh into which some states have 
been added, some propositional variables have been added, such that the resulting linear 
structure is almost in /C. Precisely, if any is substituted in M by the corresponding /(^ j.) ( 
weakened at MUo{Temp{^), so j G H ) the modified linear structure is now a A^-linear 
structure . Since, ^ /C', Ai does not trigger any new weak promise from MUo{Temp{'P)) 
w.r.t. Temp{<l>[Ch <— TRUE]j^h)- Furthermore, since any propagated weak promise which 
is fulfilled of Temp{<P[Ch ^ TRUE]j^h), is also fulfilled for MUo{T emp{<P)) , and since 
the remaining consistency part of MUo{Temp{'P)) never triggers a J^{(3) because there is 
no visit at a state where l(j^k) holds for j G H, then A4 N MUq {Temp {<!>)). But this is a 
contradiction since MUa (Temp {(!>)) is unsatisfiable, i.e., {'l>[Ch <— TKUE]h,^H) can solely 
be FALSE. 

Since the FPSPACE complete MF search problem is Logspace reducible to the MU for LTL 
search problem, the FPSPACE hardness is shown. 

Consider now the Inherent Non Vacuity (INVac) search problem, i.e. searching a limit strengthening
$h$ of $g$ such that $h \equiv g$. Let $g = \neg[(Temp(\Phi) \wedge u) \vee (\neg Temp(\Phi) \wedge \neg u)]$. An INVac strengthening
$h$ of $g$ is such that $u$ is at TRUE in $h$ iff $Temp(\Phi)$ is unsatisfiable. Furthermore, in this case, the weakening
of $Temp(\Phi)$ at $h$ is minimal, i.e. it is in $MU(Temp(\Phi))$. We deduce the following corollary.

Corollary 2. ($INVac_{occ(sf)}$-search) Given an LTL formula f, searching an inherent non vacuous
strengthening of f (for single occurrences) is FPSPACE-complete.

4 Conclusion 

We have shown that the MF search problem, the (LTL) MU search problem and the (LTL) INVac 
search problem are FPSPACE Complete. Furthermore, we have shown that the MU-dec and the 
Inherent Vacuity checking decision problem are PSPACE complete. Although deficiency is the 
Backbone of lower Complexity Bound in the QBF case [21 , no corresponding bound exists for 
LTL. 